CYBERSHEATH BLOG

As part of an ongoing series on using privileged account management solutions to meet DFARS requirements, CyberSheath's security consultants have explored technical controls in great detail, providing readers with real-world applications that make a meaningful impact. This week CyberSheath continues to explore the NIST 800-171 control "separate the duties of individuals to reduce the risk of malevolent activity without collusion".

Last week CyberSheath began a new series, “In-Depth Look at PAM Controls for DFARS Requirements”, dedicated to providing a detailed analysis on how privileged account management solutions play an important role for organizations in meeting DFARS requirements.

In previous blogs, CyberSheath security analysts have identified new cyber security requirements from the recent changes to DFARS and have provided solution overviews for meeting those requirements and regulations. The series “In-Depth Look at PAM Controls for DFARS Requirements” will expand on previously mentioned regulations and provide a more granular look at how privileged account management solutions can play an important role in meeting DFARS requirements.

Recently, Verizon released its 2016 Data Breach Report, which has served to assist the security community in managing risk and avoiding security incidents since 2008. In the report, one can find data on almost all aspects of the current cyber security risk landscape. That said, I was most intrigued by the findings related to phishing attacks, a form of social engineering that seeks to exploit an organization's greatest risk: humans.

A list recently compiled by the cyber threat intelligence company Flashpoint (via Crain’s Chicago Business) reveals that law firms are not immune to cyber threats and are indeed active targets for today’s cyber criminals. Since January 2016, 48 elite law firms have been targeted by the criminal “Oleras” and his (or her) gang members attempting to access confidential client information for use in insider trading plots. While there has yet to be any indication that the hackers were successful, it raises the question of when law firms will be held to the same (or any) standards that are starting to be applied to other industries.

In August and December 2015, the Defense Federal Acquisition Regulation Supplement (DFARS) received updates that are crucial for the 10,000-plus defense contractors. If you have been following our blog, we first reported on the changes back in January. It is important to understand these changes and how they will affect your organization. This next series of blog posts will attempt to view the DFARS updates from a high level. If you haven't read last week's post, you can do that here.

This week's post will attempt to boil down the primary differences between NIST 800-53 r4 and 800-171. For starters, both documents are sets of standards published by the National Institute of Standards and Technology (NIST), a federal government organization that produces standards on a variety of topics, including information security. Back in 2013, when DFARS 252.204-7012 was issued as a final rule, it relied on NIST 800-53 r4 as the de facto standard that contractors must adhere to in order to meet the DFARS compliance objective of safeguarding Controlled Unclassified Information (CUI). In August 2015, DFARS was updated and its security control requirements were replaced: NIST 800-53 r4 was swapped out for NIST 800-171.

Building, maintaining, or transforming a cybersecurity program is hard work. But every situation needs to begin with a plan: one that addresses the strengths, weaknesses, opportunities, and threats, and that will turn into the roadmap guiding you in developing a successful cybersecurity program.

To help you begin, here are the elements of a cybersecurity program that in my experience are essential to long-term, measurable success.

2 Essential Elements of an Effective Cybersecurity Program

1: Annual Standards-Based Assessments

Of the many challenges security professionals face, the ability to explain what they do and how well they do it is one of the most persistent. It need not be this way. There are several notable standards or frameworks (e.g., NIST, SANS 20 Critical Security Controls, etc.) readily available for you to baseline your security program, explain your success, and create a vehicle for communicating strategically with the executives in your organization. Before you even select a standard, it is important to understand and believe in the need to conduct an assessment on an annual basis.

Do a search for video games and information security and you will find countless comparisons of how these two seemingly disparate fields go hand in hand. I really like this article from last summer, as it examined not just video games but organized sports and their influence on information security experts. In today's world, video gaming is a billion-dollar industry: there are professional video gamers, amateur video gamers who record their reviews, critiques, and tips and put them on YouTube, and then there are the professionals (like me) who unwind from their day by playing a few rounds of Turning Point in Star Wars Battlefront.

While video games may heavily influence the world we live in, there are two specific video games that I think will help make your security program stronger. I will now explore how these can relate to your organization.

I'm always skeptical of survey numbers because you can't qualify the data or the responses, and there is no single right answer as to how much to spend on security. However, there are best practices and industry standards that will ensure your organization is spending the money it has wisely.

4 Steps to Ensure a Wisely Spent Cybersecurity Budget

1: Make Security a Line Item in the Budget, Separate from IT

There is no single right metric for security spend, but you should at least be able to articulate what you are spending annually. With a defined security budget you can slice and dice it any way you want: as a percentage of IT spend, cost per employee, as a percentage of revenue, etc.